This weekend I read two articles that seemed to converge in my simple mind and gave rise to an audacious scenario. The first was “The Law and Policy of Targeted Killings” by Gabriella Blum and Philip Heymann. Blum and Heymann are Harvard Law School professors who wrote a paper for the Harvard Security Journal that explored the U.S. policy of “targeted killing—the deliberate assassination of a known terrorist outside the country’s territory…an essential part of their counterterrorism strategy…an inevitable means of frustrating the activities of terrorists who are directly involved in plotting and instigating attacks from outside their territory.”
The paper discussed the “complex legal, political, and moral judgments” and very broad implications involved in a policy of targeted killings as a coercive tactic employed in the war on terrorism. Blum and Heymann state, “Unlike detention or interrogation, it is not designed to capture the terrorist, monitor his or her actions, or extract information; simply put, it is designed to eliminate the terrorist.”
Then I read a Forbes article about how many corporations practice backward-focused, or reactive, network security. The example given is a network breach in which valuable data or property, valued in the millions, is stolen. The response is then to hire a security firm to harden the network or to initiate other company-wide changes to prevent the breach from recurring.
This example was likened to what happened with airport security. It was after someone tried to detonate a bomb in their shoe and hide a bomb in their underwear that the policy of removing shoes and full body scans was initiated at airport screening gates. The security policy was a response to an event rather than a proactive one, in which the most likely methods a terrorist would use are anticipated and preventive initiatives are put in place ahead of an actual event.
Here’s where the two articles converged in my head. What if a cyber security attack of a nefarious nature led to a response that included the targeted, contractual killing of the cyber terrorist? What if the war on terrorism were to classify cyber terrorists in the same manner as terrorists hell-bent on destruction of human life and property?
Sound farfetched? Well, consider the National Security Agency’s (NSA) Defense in Depth strategy as laid out in their paper, “A practical strategy for achieving Information Assurance in today’s highly networked environments,” which begins with the following paragraph:
“Adversaries, Motivations, Classes of Attack. To effectively resist attacks against its information and information systems, an organization needs to characterize its adversaries, their potential motivations, and their classes of attack. Potential adversaries might include: Nation States, Terrorists, Criminal Elements, Hackers, or Corporate Competitors.”
It’s a chilling thought that a backward-focused response to a cyber attack could lead to targeted killings as a way of eliminating the recurrence of the threat. But even in the remote recesses of my imagination, I could only see a scenario like that developing from a position of desperation and fear.
However, you’ll never have to be in that position if you have a forward-focused security strategy. In the words of Jeffrey Carr, the CEO of Taia Global, Inc.: “Manage the risks that lie before you; anticipating the who, what, when, where, and how of an unknown adversary who may be targeting you and your company, or determining if you even are a target in the first place. You can’t do any of this if your entire approach to cyber security is looking at repairing what just transpired and preventing that same attack from happening in the future. If you do, you’ll always be surprised by a new attack vector…”